Russian GRU Targeting Western Logistics Entities and Technology Companies

    Date: 05/22/2025

    Severity: Critical

    Summary

    A Russian state-sponsored cyber campaign has been targeting Western logistics, transport and technology companies, especially those aiding the delivery of foreign assistance to Ukraine. Since 2022, these sectors have faced increased targeting by the GRU's 85th Main Special Service Center (Unit 26165). The campaign uses known cyber espionage tactics, techniques and procedures (TTPs), and the targeting and similar TTPs are expected to persist.

    Indicators of Compromise (IOC) List 

    Domains\URLs :

    portugalmail.pt

    mail-online.dk

    email.cz

    seznam.cz

    IP Address : 

    213.32.252.221

    124.168.91.178

    194.126.178.8

    159.196.128.120

    192.162.174.94

    207.244.71.84

    31.135.199.145

    79.184.25.198

    91.149.253.204  

    103.97.203.29

    162.210.194.2

    31.42.4.138

    79.185.5.142

    91.149.254.75  

    209.14.71.127

    46.112.70.252

    83.10.46.174

    91.149.255.122  

    109.95.151.207

    46.248.185.236

    83.168.66.145

    91.149.255.19  

    64.176.67.117

    83.168.78.27

    91.149.255.195  

    64.176.69.196

    83.168.78.31 

    91.221.88.76  

    64.176.70.18

    83.168.78.55 

    93.105.185.139  

    64.176.70.238

    83.23.130.49 

    95.215.76.209  

    64.176.71.201

    83.29.138.115 

    138.199.59.43  

    70.34.242.220

    89.64.70.69 

    147.135.209.245  

    70.34.243.226

    90.156.4.204 

    178.235.191.182  

    70.34.244.100

    91.149.202.215 

    178.37.97.243  

    70.34.245.215

    91.149.203.73 

    185.234.235.69  

    70.34.252.168

    91.149.219.158

    192.162.174.67  

    70.34.252.186

    91.149.219.23 

    194.187.180.20  

    70.34.252.222

    91.149.223.130 

    212.127.78.170  

    70.34.253.13

    91.149.253.118

    213.134.184.167

    70.34.253.247 

    91.149.253.198   

    70.34.254.245

    91.149.253.20   

    Email Address : 

    md-shoeb@alfathdoor.com.sa

    jayam@wizzsolutions.com

    accounts@regencyservice.in

    m.salim@tsc-me.com

    vikram.anand@4ginfosource.com

    mdelafuente@ukwwfze.com

    sarah@cosmicgold469.co.za

    franch1.lanka@bplanka.com

    commerical@vanadrink.com

    maint@goldenloaduae.com

    karina@bhpcapital.com

    tv@coastalareabank.com

    ashoke.kumar@hbclife.in

    Filenames : 

    calc.war.zip

    news_week_6.zip

    Roadmap.zip

    SEDE-PV-2023-10-09-1_EN.zip

    war.zip

    Zeyilname.zip

    Commandline :

    edge.exe "-headless-new -disable-gpu"

    ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit

    ssh -Nf

    schtasks /create /xml

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs : 

    domainname like "portugalmail.pt" or url like "portugalmail.pt" or siteurl like "portugalmail.pt" or domainname like "mail-online.dk" or url like "mail-online.dk" or siteurl like "mail-online.dk" or domainname like "email.cz" or url like "email.cz" or siteurl like "email.cz" or domainname like "seznam.cz" or url like "seznam.cz" or siteurl like "seznam.cz" 

    IP Address : 

    dstipaddress IN ("83.168.78.27","91.149.219.23","185.234.235.69","209.14.71.127","70.34.252.222","70.34.254.245","109.95.151.207","159.196.128.120","138.199.59.43","83.29.138.115","46.248.185.236","213.32.252.221","79.185.5.142","91.149.254.75","194.187.180.20","90.156.4.204","70.34.243.226","91.149.253.204","70.34.252.186","70.34.253.13","46.112.70.252","83.168.66.145","93.105.185.139","70.34.242.220","70.34.245.215","31.135.199.145","70.34.244.100","212.127.78.170","64.176.69.196","64.176.71.201","64.176.70.238","79.184.25.198","213.134.184.167","91.149.255.195","83.23.130.49","91.149.253.118","124.168.91.178","83.168.78.55","70.34.252.168","91.149.203.73","83.168.78.31","103.97.203.29","178.235.191.182","91.149.253.20","194.126.178.8","91.149.255.122","192.162.174.94","207.244.71.84","162.210.194.2","31.42.4.138","83.10.46.174","91.149.255.19","64.176.67.117","91.221.88.76","64.176.70.18","95.215.76.209","89.64.70.69","147.135.209.245","91.149.202.215","178.37.97.243","91.149.219.158","192.162.174.67","91.149.223.130","70.34.253.247","91.149.253.198") OR srcipaddress IN ("83.168.78.27","91.149.219.23","185.234.235.69","209.14.71.127","70.34.252.222","70.34.254.245","109.95.151.207","159.196.128.120","138.199.59.43","83.29.138.115","46.248.185.236","213.32.252.221","79.185.5.142","91.149.254.75","194.187.180.20","90.156.4.204","70.34.243.226","91.149.253.204","70.34.252.186","70.34.253.13","46.112.70.252","83.168.66.145","93.105.185.139","70.34.242.220","70.34.245.215","31.135.199.145","70.34.244.100","212.127.78.170","64.176.69.196","64.176.71.201","64.176.70.238","79.184.25.198","213.134.184.167","91.149.255.195","83.23.130.49","91.149.253.118","124.168.91.178","83.168.78.55","70.34.252.168","91.149.203.73","83.168.78.31","103.97.203.29","178.235.191.182","91.149.253.20","194.126.178.8","91.149.255.122","192.162.174.94","207.244.71.84","162.210.194.2","31.42.4.138","83.10.46.174","91.149.255.19","64.176.67.117","91.221.88.76","64.176.70.18","95.215.76.209","89.64.70.69","147.135.209.245","91.149.202.215","178.37.97.243","91.149.219.158","192.162.174.67","91.149.223.130","70.34.253.247","91.149.253.198")

    Detection Query :

    resourcename = "Windows Security"  AND eventtype = "4688" and processname like "edge.exe" and commandline like "-headless-new -disable-gpu"

    Detection Query :

    technologygroup = "EDR" and processname like "edge.exe" and commandline like "-headless-new -disable-gpu"

    Detection Query :

    resourcename = "Windows Security" and eventtype = "4688" and processname like "ntdsutil.exe" and (commandline like "activate instance ntds" or commandline like "ifm" or commandline like "create full C:\temp\[a-z]{3}" or commandline like "quit quit")

    Detection Query :

    technologygroup = "EDR" and processname like "ntdsutil.exe" and (commandline like "activate instance ntds" or commandline like "ifm" or commandline like "create full C:\temp\[a-z]{3}" or commandline like "quit quit")

    Detection Query :

    resourcename = "Windows Security" and eventtype = "4688"  and commandline like "ssh -Nf"

    Detection Query :

    technologygroup = "EDR"  and commandline like "ssh -Nf" 

    Detection Query :

    resourcename = "Windows Security" and eventtype = "4688"  and commandline like "schtasks /create /xml" 

    Detection Query :

    technologygroup = "EDR"  and commandline like "schtasks /create /xml"

    Detection Query :

    resourcename = "Windows Security" and eventtype = "4663" and fileobjectname In ( "calc.war.zip","news_week_6.zip","Roadmap.zip","SEDE-PV-2023-10-09-1_EN.zip","war.zip","Zeyilname.zip" )

    Detection Query :

    technologygroup = "EDR" and fileobjectname In ( "calc.war.zip","news_week_6.zip","Roadmap.zip","SEDE-PV-2023-10-09-1_EN.zip","war.zip","Zeyilname.zip")

    Email Address : 

    Sender IN ("md-shoeb@alfathdoor.com.sa","jayam@wizzsolutions.com","accounts@regencyservice.in","m.salim@tsc-me.com","vikram.anand@4ginfosource.com","mdelafuente@ukwwfze.com","sarah@cosmicgold469.co.za","franch1.lanka@bplanka.com","commerical@vanadrink.com","maint@goldenloaduae.com","karina@bhpcapital.com","tv@coastalareabank.com","ashoke.kumar@hbclife.in")
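    The following is an added, stand-alone example of the same detection logic applied offline to constructed log records; it is not Gurucul's or CISA's code, and the record field names (process_name, command_line, dst_ip, domain, file_name, sender) are assumptions rather than the Gurucul schema. It matches the four command lines, a subset of the IP list, the domains, the filenames and the sender addresses from the advisory above. Note that the advisory writes the ntdsutil command line with the placeholder [a-z]{3} for a three-letter folder name, so that pattern is matched here as a regular expression; a literal substring match on "[a-z]{3}" would never fire.

```python
import os
import re

# IOC values copied from the advisory above (the IP set is a subset, for brevity).
IOC_IPS = {"213.32.252.221", "124.168.91.178", "194.126.178.8", "159.196.128.120"}
IOC_DOMAINS = {"portugalmail.pt", "mail-online.dk", "email.cz", "seznam.cz"}
IOC_FILENAMES = {"calc.war.zip", "news_week_6.zip", "Roadmap.zip",
                 "SEDE-PV-2023-10-09-1_EN.zip", "war.zip", "Zeyilname.zip"}
IOC_SENDERS = {"md-shoeb@alfathdoor.com.sa", "jayam@wizzsolutions.com",
               "accounts@regencyservice.in"}

# Command-line patterns from the advisory. The ntdsutil line is given there with
# the placeholder [a-z]{3} for a three-letter folder name, so the whole IFM dump
# sequence is matched as one regular expression rather than as ORed substrings.
CMDLINE_RULES = [
    ("edge_headless", re.compile(r"edge\.exe.*-headless-new.*-disable-gpu", re.I)),
    ("ntdsutil_ifm_dump", re.compile(
        r"ntdsutil.*activate instance ntds.*\bifm\b.*create full C:\\temp\\[a-z]{3}\b", re.I)),
    ("ssh_background_tunnel", re.compile(r"\bssh(\.exe)?\b.*\s-Nf\b")),
    ("schtasks_xml_create", re.compile(r"schtasks(\.exe)?\s+/create\s+/xml\b", re.I)),
]


def _domain_hit(value):
    # Exact match or subdomain of a listed domain; avoids matching "seznam.cz.example.com".
    host = value.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_record(rec):
    """Return the names of every rule the record triggers (empty list if none).
    Field names are assumed for the constructed records, not Gurucul's schema."""
    hits = []
    cmd = rec.get("command_line", "")
    for name, pattern in CMDLINE_RULES:
        if pattern.search(cmd):
            hits.append(name)
    if rec.get("dst_ip") in IOC_IPS or rec.get("src_ip") in IOC_IPS:
        hits.append("ioc_ip")
    if rec.get("domain") and _domain_hit(rec["domain"]):
        hits.append("ioc_domain")
    # Compare only the file's base name, whatever directory it was written to.
    if os.path.basename(rec.get("file_name", "").replace("\\", "/")) in IOC_FILENAMES:
        hits.append("ioc_filename")
    if rec.get("sender", "").lower() in IOC_SENDERS:
        hits.append("ioc_sender")
    return hits


def scan(records):
    """Return [(record_index, rule_name), ...] for every hit across the records."""
    return [(i, h) for i, rec in enumerate(records) for h in match_record(rec)]


# Constructed sample records in the shape of 4688 process-creation, proxy,
# 4663 file-access and mail-gateway events. None of these are real observations.
SAMPLE_RECORDS = [
    {"event_id": 4688, "process_name": "edge.exe",
     "command_line": 'edge.exe "-headless-new -disable-gpu"'},
    {"event_id": 4688, "process_name": "ntdsutil.exe",
     "command_line": 'ntdsutil.exe "activate instance ntds" ifm "create full C:\\temp\\xqz" quit quit'},
    {"event_id": 4688, "process_name": "ntdsutil.exe",   # no IFM dump: should not fire
     "command_line": 'ntdsutil.exe "activate instance ntds" quit'},
    {"event_id": 4688, "process_name": "ssh.exe",
     "command_line": "ssh -Nf user@203.0.113.10"},
    {"event_id": 4688, "process_name": "schtasks.exe",
     "command_line": "schtasks /create /xml C:\\Users\\Public\\t.xml /tn Updater"},
    {"event_id": 4688, "process_name": "schtasks.exe",   # benign query: should not fire
     "command_line": "schtasks /query /fo LIST"},
    {"src_ip": "10.0.0.5", "dst_ip": "213.32.252.221"},
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7"},
    {"domain": "mail.seznam.cz"},
    {"event_id": 4663, "file_name": "C:\\Users\\a\\Downloads\\Roadmap.zip"},
    {"sender": "jayam@wizzsolutions.com"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {rule}")
```

    Two design notes for anyone adapting this: the ntdsutil rule deliberately requires the full "activate instance ntds ... ifm ... create full" sequence, which is tighter than ORing the individual fragments (a substring match on "ifm" or "quit quit" alone is noisy), and the listed domains include public webmail providers, so domain hits are a triage signal rather than a confirmed compromise on their own.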

    Reference:

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a#CybersecurityIndustryTracking


    Tags: CISA, Russia, Ukraine, Western logistics, Transportation Systems, Russian GRU
